Vulnerability Description
Stored XSS in the Contact Form 7 Datepicker plugin through 2.6.0 for WordPress allows authenticated attackers with minimal permissions to save arbitrary JavaScript to the plugin's settings via the unprotected wp_ajax_cf7dp_save_settings AJAX action and the ui_theme parameter. If an administrator creates or modifies a contact form, the JavaScript will be executed in their browser, which can then be used to create new administrative users or perform other actions using the administrator's session.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Contact-Form-7-Datepicker Project | Contact-Form-7-Datepicker | <= 2.6.0 |
Related Weaknesses (CWE)
References
- https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-leads-to-closExploitThird Party Advisory
- https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-leads-to-closExploitThird Party Advisory
FAQ
What is CVE-2020-11516?
CVE-2020-11516 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Stored XSS in the Contact Form 7 Datepicker plugin through 2.6.0 for WordPress allows authenticated attackers with minimal permissions to save arbitrary JavaScript to the plugin's settings via the unp...
How severe is CVE-2020-11516?
CVE-2020-11516 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11516?
Check the references section above for vendor advisories and patch information. Affected products include: Contact-Form-7-Datepicker Project Contact-Form-7-Datepicker.